As malware continues to attack consumers that bank online some strains are able to hide the fraudulent transactions from users when they check their balance to keep victims from realizing their accounts have been taken over. Zeus, the most notorious piece of banking malware, has been wreaking havoc for several years and continues to be a persistent problem while also spawning many variations and new forms of malware. One such variation is the SpyEye program which, similar to Zeus, uses HTML injections to trick victims into handing over their personal and financial information. Now certain strains of both Zeus and SpyEye are also able to mask fraudulent transactions when consumers login to their banking websites.
Both pieces of malware rely on HTML injections, or Man-in-the-Browser (MitB) attacks, where the malware victim is asked for sensitive information which they are providing right to the fraudsters. For example, a consumer may be asked to verify certain information after logging in to their account, and although the request appears to be from the site the consumer is using, it is actually coming from the malware. The fraudster may obtain account numbers or passwords and then use this information to drain the victim’s account.
When the victim returns to check to their account the malware once again uses an HTML injection to hide fraudulent transactions. Security firm Trusteer observed strains of the SpyEye malware that did this by covering all transactions that the malware was responsible for. SpyEye would infect the victim’s computer and obtain their debit card number with a MitB attack. Using HTML injections the malware would then remove line items that involved fraudulent transactions and subtract this total from the account balance. If the consumer checked their account balance over the phone, at the bank or from a device that was not infected it would show the real balance, but this could be several days or weeks later. The longer the victim goes without realizing their account has been taken over the more damage a fraudster can do.
For More Information: